pkgsrc-Changes archive
Re: CVS commit: pkgsrc/databases
This was ok gdt@ for pkgsrc-pmc, since we're in a freeze.
Please mention this in commit messages, thank you!
Thomas
On Mon, Sep 14, 2015 at 04:32:27PM +0000, Emmanuel Dreyfus wrote:
> Module Name: pkgsrc
> Committed By: manu
> Date: Mon Sep 14 16:32:27 UTC 2015
>
> Modified Files:
> pkgsrc/databases/openldap: distinfo
> pkgsrc/databases/openldap-client: Makefile
> pkgsrc/databases/openldap-server: Makefile
> Added Files:
> pkgsrc/databases/openldap/patches: patch-its7595
>
> Log Message:
> Add support for ECDH, from upstream
>
> After the recent logjam attack, longer DH parameter sizes have been advised.
> Unfortunately, this comes with a high computational cost. ECDH is a good
> alternative to achieve forward secrecy with lower CPU Loads.
>
> This patch is a backport from upstream ECDH implementation. ECDH is
> enabled by specifying a curve name through the TLSECName directive.
> Valid curve names can be obtained by openssl ecparam -list_curves
>
> Advised usage for a forward-secrecy only setup with only ECDH:
> TLSCipherSuite EECDH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
> TLSECName prime256v1
>
> If backward compatibility with older clients is required:
> TLSCipherSuite EECDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
> TLSECName prime256v1
>
> Backward compatible flavor with more forward secrecy, at
> the expense of using costly DH. dh2048.pem is obtained using openssl
> dhparam 2048 > /etc/openssl/certs/dh2048.pem
> TLSCipherSuite EECDH:EDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
> TLSDHParamFile /etc/openssl/certs/dh2048.pem
> TLSECName prime256v1
>
>
> To generate a diff of this commit:
> cvs rdiff -u -r1.101 -r1.102 pkgsrc/databases/openldap/distinfo
> cvs rdiff -u -r1.20 -r1.21 pkgsrc/databases/openldap-client/Makefile
> cvs rdiff -u -r1.44 -r1.45 pkgsrc/databases/openldap-server/Makefile
> cvs rdiff -u -r0 -r1.1 pkgsrc/databases/openldap/patches/patch-its7595
>
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
>
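As an added example (not part of the commit or of OpenLDAP), a small checker for the three configurations in the commit message above: it reads slapd.conf-style TLS directives and flags a cipher string that asks for EECDH or EDH without the matching TLSECName or TLSDHParamFile, and one that still admits non-forward-secret suites through a broad keyword such as HIGH. The function names, finding codes and the simplified reading of the cipher string (whole tokens only, no OpenSSL expansion) are assumptions of this example.

```python
import re

# Cipher-string keywords from the commit message, plus their OpenSSL aliases.
ECDHE = {"EECDH", "ECDHE"}
DHE = {"EDH", "DHE"}
BROAD = {"HIGH", "MEDIUM", "DEFAULT", "ALL"}  # also admit static-RSA key exchange

def tls_directives(conf_text):
    """Return {lowercased directive: value} for the TLS* lines of a slapd.conf."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"(TLS\w+)\s+(\S.*)", line, re.IGNORECASE)
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
    return found

def audit(conf_text):
    """Return a set of finding codes for the key-exchange setup."""
    tls = tls_directives(conf_text)
    tokens = [t for t in tls.get("tlsciphersuite", "").split(":") if t]
    # Simplification: only whole tokens that add suites; "!x", "-x", "+x" are skipped.
    added = {t for t in tokens if t[0] not in "!-+"}
    findings = set()
    if added & ECDHE and "tlsecname" not in tls:
        # Per the commit message, ECDH is enabled by naming a curve.
        findings.add("ecdh-without-curve")
    if added & DHE and "tlsdhparamfile" not in tls:
        # Assumption: mirrors the EDH + TLSDHParamFile pairing in the message.
        findings.add("dhe-without-params")
    if added & BROAD:
        findings.add("non-forward-secret-allowed")
    return findings

# Constructed sample configs built from the three flavors in the commit message.
NEG = ":!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL\n"
FS_ONLY = "TLSCipherSuite EECDH" + NEG + "TLSECName prime256v1\n"
COMPAT = "TLSCipherSuite EECDH:HIGH" + NEG + "TLSECName prime256v1\n"
COMPAT_DH = ("TLSCipherSuite EECDH:EDH:HIGH" + NEG +
             "TLSDHParamFile /etc/openssl/certs/dh2048.pem\nTLSECName prime256v1\n")
INCOMPLETE = "# constructed: directives left out\nTLSCipherSuite EECDH:EDH" + NEG

if __name__ == "__main__":
    for name, conf in [("fs-only", FS_ONLY), ("compat", COMPAT),
                       ("compat+dh", COMPAT_DH), ("incomplete", INCOMPLETE)]:
        print(name, sorted(audit(conf)) or "ok")
```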